ISO 27018 versions
What's the difference between ISO 27018:2014 and ISO 27018:2019?
ISO 27018:2019 introduced only minor changes and corrections, which do not affect how the controls are applied:
- It makes clearer that ISO 27018 is not a certifiable standard, but supports the application of ISO 27001, which is the certifiable standard.
- It changes the use of verbs (e.g., "may" and "can") to simplify the presentation of what an organization can be responsible for.
- It adds a "General" section at the beginning of the Public Cloud Processor Extended Control Set for PII Protection (this new section does not add new controls).
In short, these changes do not require immediate action from those who apply these controls.
Hi Leat, can you give me some guidance, please? AWS, Google and so on are certified against this standard, ISO/IEC 27018:2019, by E&Y, BSI, etc. How are they doing this?
Please note that ISO 27018 is not a certifiable standard. What happens, depending on the certification body hired, is that it "certifies" against ISO 27018 during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series. The certification body includes in the certification a statement that the organization is also compliant with ISO 27018. The surveillance audits will be the same as for a normal ISO 27001 certification, normally one each year.
These articles can provide further information:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
Mar 05, 2020